This is implemented through the https:// prefix in the address bar or embedded Uniform Resource Locator (URL) web page links in the vast majority of modern web browser software.

The encryption software is built in by default into your web browser and operating system, but for an encrypted session to be established, a Digital Certificate needs to be installed on the web server.

These bind an official web server DNS domain name and and organisation name to a particular asymmetric public encryption key, which then allows your web browser to establish an encrypted session with the web server, which protects that session with a private, symmetric cryptographic algorithm key e.g. AES, 3DES, RC4 etc.

You can create your own Digital Certificate and "self sign" it, but most web browser software will then flash up various warnings and ask you to make "do I really trust this website" decisions, which will certainly scare off any cautious people.

Most reputable organisations fork out some money for a Digital Certificate bought from one of the main Certification Authorities, which at least insist on (usually) only issuing a Digital Certificate to the domain name owners of the particular web server and perhaps running some sort of elementary credit check / company name and address check.

Since these major Certificate Authorities are trusted by default by your web browser software (you can usually choose to remove them from the trusted list, if you can be bothered) no warnings will frighten off potential customers etc, if a current Digital Certificate is in use.

Since such Digital Certificates are bought and renewed usually on an annual or multi-year basis, when they expire, then Invalid Certificate or Expired Certificate warnings automatically appear.

Professional, trustworthy organisations do not let their Digital Certificates expire, they purchase a new Digital Certificate before hand either to be valid from the expiry of the old one, or more usually, with an overlap period, so that they have time to correct any administrative or technical configuration errors with the new Certificate, whilst the old one is still valid.

A new Digital Certificate usually requires the generation or installation of a new Private Encryption Key on each of the Web Servers which it applies to. This may require physical access to the data centre, or at least secure remote control of those servers.

Will they replace their obsolete, potentially forgeable RapidSSL MD5 signed Digital certificate with a new one ?

They have until 16:14:01 Greenwich Mean Time today, Saturday 12th June 2010 to do so,

If they do not do this , then their https://secure.wikileaks.org web form, the only secure method of uploading "whistleblower leaks" via their website will be broken, as they seem to have abandoned both Tor Hidden Services and PGP email / file encryption

In an attack on MD5 published in December 2008, a group of researchers
used a new technique to fake the validity of SSL certificates. US-CERT
of the U.S. Department of Homeland Security said MD5 "should be
considered cryptographically broken and unsuitable for further use, and
most U.S. government applications will be required to move to the SHA-2
family of hash functions after 2010. This broken md5 hash function is
however still in use by the https://secure.wikileaks.org/ SSL connection.

There really is no excuse for using a relatively weak cryptographic hash algorithm in the Digital Certificate which is supposed to protect the encrypted SSL/TLS communications internet sessions of the WikiLeakS.org whistleblower leak submission web pages.

Since the the resources of several Government intelligence agencies are very likely to have been deployed against this encrypted traffic, surely WikiLeakS.org can afford to pay for a proper Digital Certificate using an as yet currently unbroken secure cryptographic hash function e.g. SHA-1 or the forthcoming SHA-2 ?

Surely they can spend a few tens or hundreds of dollars , out of the $360,000 raised out of the the target of / $600.000 this year on some proper Digital Certificates ?

Interestingly, the parallel computing resources used to create the MD5 signatures and fake example Digital Certificates, are probably not too different to that used by WikiLeakS.org and their friends to supposedly password guess and decrypt the Iraq Apache helicopter attack video.

If an attacker duplicated the secure.WikiLeakS.org Digital Certificate, something which is obviously possible with the current MD5 hash, but not with the stronger versions which most other SSL/TLS protected websites now use, then they could do a Man in the middle attack on the WikiLeakS.org "secure" content submission system.

One of the potential weakness of this system has always been its vulnerability to Communications Traffic Analysis, since SSL/TLS encryption does not hide the source and destination IP addresses.

SSL/TLS encryption does not hide the amount of data which is transmitted.,so it can be sometimes be very obvious, which IP address uploaded a particular whistleblower leak document, if it is of a characteristic size, on a particular date, which may narrow down the list of suspects for a "leak" investigation.

To be fair to WikiLeakS.org, they used to also offer a much more Communications Traffic analysis resistant encrypted submission method via a Tor Hidden Service:

but this has not been publicised (presumably as it no longer works) since last Christmas, when the WikiLeakS.org main website was shut down, to beg for money.

Since the WikiLeakS.org activists still refuse to publish a new PGP Public Encryption key, it seems that WikiLeakS.org is now less secure than they used to be.

If your life or even if just your career, might be threatened by exposure as a WikiLeakS.org whistleblower, you should think very carefully before submitting any "whistleblower leak" documents via the currently crippled WikiLeakS.org website.

Neither of the issuing Trusted Third Parties i.e. RapidSSL and Equifax, now have any legal duty to guarantee the integrity of an expired Digital Certificate. Most web browser software will pop up warning messages, which will, inevitably, either put some people off from reading the website or from submitting new documents.

Since even the Talk pages require the use of https://secure.wikileaks.org, there is now no method of submitting comments or analyses "securely" either.

Technically you can still use these expired encryption credentials to send messages or documents to WikiLeakS.org, but why should anyone trust them ?

Even a self-signed, but valid Digital Certificate, (with appropriate documentation as to why you should trust it) , would be preferable to a standard commercial Digitial Certificate, which has obviously expired. By convention and common usage, such an invalid Digital Certificate, and by extension the formerly "secure" webserver on which it resides, and can no longer to be trusted.

Tags:

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblower are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistlblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B.the words "security" or "anonymity" and "Twitter" are mutually exclusive:

Campaign Button Links

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."